Updated by Andreas Pfohl over 2 years ago
The Microsoft Graph-API does not support restoring items in the SharePoint recycle bin. It's only possible through the old SharePoint API.
To delete an item via the API, you can use the following request:
```curl
curl --location --request DELETE 'https://graph.microsoft.com/v1.0/drives/{{driveId}}/items/{{itemId}}' \
--header 'Authorization: Bearer xyz'
```
That will move the item into the trash bin of your SharePoint site.
To list the trash bin there is a beta API available for the Graph-API:
```curl
curl --location 'https://graph.microsoft.com/beta/sites/{{siteId}}/recycleBin/items/' \
--header 'Authorization: Bearer xyz'
```
To finally restore an item you need to have set up JWT token authentication for the SharePoint API. In order to do that, you need to have a certificate and secret prepared and the secret uploaded to the Azure App credentials page:
<img class="op-uc-image op-uc-image_inline" style="width:852px;" src="/api/v3/attachments/86121/content">
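To create a certificate I attached a script you can run: `cert.sh`. You need to prepare the certificate and the key before you can actually use them:
```shell
# -nocerts writes only the private key from the PFX; the output stays passphrase-protected
openssl pkcs12 -in MyCert.pfx -nocerts -out MyCert.pem
# Write the RSA key without a passphrase to MyKey.pem
openssl rsa -in MyCert.pem -out MyKey.pem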
```
You can upload `MyCert.pem` to the Azure App and leave the `MyKey.pem` alone.
\-------------------
The next step is to create a JWT token. For this to happen, you need to make a request to your tenant:
```curl
curl --location 'https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token' \
--form 'grant_type="client_credentials"' \
--form 'client_id="{{clientId}}"' \
--form 'scope="https://finn.sharepoint.com/.default"' \
--form 'tenant="{{tenantId}}"' \
--form 'client_assertion="{{clientAssertion}}"' \
--form 'client_assertion_type="urn:ietf:params:oauth:client-assertion-type:jwt-bearer"'
```
In order to obtain the `client_assertion` you need to actually create the JWT. I wrote a program in C#, as I was in the context of researching Microsoft docs and found some things that just worked out of the box. They need to be translated to Ruby or another micro service:
```csharp
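using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Placeholders: fill in the values of your own Azure app registration.
const string tenantId = "{{tenantId}}";
const string clientId = "{{clientId}}";

const string certPath = "/home/andreas/Desktop/MyCert.pfx";
const string certPass = "MyPassword";

// Load the certificate together with its private key from the PFX file.
var certificates = new X509Certificate2Collection();
certificates.Import(certPath, certPass, X509KeyStorageFlags.PersistKeySet);

// The token endpoint is used as the audience of the client assertion.
var tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
var jsonWebToken = JsonWebToken.Create(certificates[0], clientId, tokenEndpoint);
Console.WriteLine("{0}\n", jsonWebToken);

// Type declarations have to follow the top-level statements.
public static class JsonWebToken
{
    // Creates the signed JWT: issuer and "sub" are the client id, "jti" is a
    // fresh GUID per token, and the token expires after five minutes.
    public static string Create(X509Certificate2 certificate, string clientId, string tokenEndpoint) =>
        new JsonWebTokenHandler()
            .CreateToken(
                new SecurityTokenDescriptor
                {
                    Issuer = clientId,
                    Audience = tokenEndpoint,
                    IssuedAt = DateTime.UtcNow,
                    NotBefore = DateTime.UtcNow,
                    Expires = DateTime.UtcNow.AddMinutes(5),
                    Subject = new ClaimsIdentity(
                        new List<Claim>
                        {
                            new("sub", clientId),
                            new("jti", Guid.NewGuid().ToString())
                        }
                    ),
                    SigningCredentials = new X509SigningCredentials(certificate)
                });
}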
```
The result of this is then copied into the `client_assertion` form field in the request above to obtain the access token.
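A Ruby version of the client assertion that the C# program above builds, as an added example that is not part of the original page or of any project code: it signs the JWT with RS256 using only Ruby's standard `openssl` library and sets the `x5t` header to the certificate's SHA-1 thumbprint. The self-signed certificate, client id and tenant id in it are constructed for the demo, and `client_assertion`, `verify_assertion` and `demo_credentials` are hypothetical helper names.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Base64url without padding, as used for every JWT segment.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Builds the RS256-signed client assertion (hypothetical helper name).
def client_assertion(cert, key, client_id, token_endpoint, now: Time.now.to_i)
  # x5t is the base64url SHA-1 thumbprint of the DER certificate; it lets the
  # token endpoint pick the uploaded certificate to verify against.
  header = { alg: "RS256", typ: "JWT", x5t: b64url(OpenSSL::Digest::SHA1.digest(cert.to_der)) }
  claims = { aud: token_endpoint, iss: client_id, sub: client_id,
             jti: SecureRandom.uuid, iat: now, nbf: now, exp: now + 300 }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join(".")
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Receiver's view: verify the signature with the certificate's public key and
# return the claims, or nil when the signature does not match.
def verify_assertion(jwt, cert)
  head, body, sig = jwt.split(".")
  digest = OpenSSL::Digest::SHA256.new
  valid = cert.public_key.verify(digest, Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  valid ? JSON.parse(Base64.urlsafe_decode64(body)) : nil
end

# Constructed self-signed certificate and key so the example runs offline.
def demo_credentials
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-demo-app")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

cert, key = demo_credentials
endpoint = "https://login.microsoftonline.com/constructed-tenant-id/oauth2/v2.0/token"
puts client_assertion(cert, key, "constructed-client-id", endpoint)
```

In real use the certificate and key come from the files prepared earlier instead of `demo_credentials`, and the private key should stay on the service that signs the assertion.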
With that you are then able to call the restore endpoint for the specific item in the trash bin:
```curl
curl --location --request POST "https://finn.sharepoint.com/sites/openprojectfilestoragetests/_api/web/RecycleBin('{{fileId}}')/restore()" \
--header 'Authorization: Bearer accessToken'
```
Some things are still unclear. If an item was deleted via the web UI it does not show up in the request result of the recycle bin, but is listed in the web UI's trash bin.
* [https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials)
* [https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate)
* [https://github.com/kongmengfei/sharedproject](https://github.com/kongmengfei/sharedproject)
* [https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/confidential-client-assertions#alternative-method](https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/web-apps-apis/confidential-client-assertions#alternative-method)
* [https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest)
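* [https://learn.microsoft.com/en-us/graph/api/recyclebin-list-items?view=graph-rest-beta&tabs=http](https://learn.microsoft.com/en-us/graph/api/recyclebin-list-items?view=graph-rest-beta&tabs=http)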